| Message ID | 1574942971-49208-1-git-send-email-pannengyuan@huawei.com |
|---|---|
| State | New |
| Headers | show |
| Series | [V2] block/nbd: fix memory leak in nbd_open() | expand |
On Thu, Nov 28, 2019 at 08:09:31PM +0800, pannengyuan@huawei.com wrote: > From: PanNengyuan <pannengyuan@huawei.com> > > In currently implementation there will be a memory leak when > nbd_client_connect() returns error status. Here is an easy way to > reproduce: > > 1. run qemu-iotests as follow and check the result with asan: > ./check -raw 143 > > Following is the asan output backtrack: > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560) > #1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015) > #2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295 > #3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49 > #4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386 > #5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 > #6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 > #7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 > > Direct leak of 15 byte(s) in 1 object(s) allocated from: > #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) > #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) > #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) > #3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834 > #4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 > > Indirect leak of 24 byte(s) in 1 object(s) allocated from: > #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) > #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) > #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) > #3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536 > #4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297 > #5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141 > #6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366 > #7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393 > #8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 > #9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 > #10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 > > Reported-by: Euler Robot <euler.robot@huawei.com> > Signed-off-by: PanNengyuan <pannengyuan@huawei.com> > --- > Changes v2 to v1: > - add a new function to do the common cleanups (suggested by Stefano Garzarella). > --- > block/nbd.c | 26 ++++++++++++++++---------- > 1 file changed, 16 insertions(+), 10 deletions(-) > > diff --git a/block/nbd.c b/block/nbd.c > index 1239761..f8aa2a8 100644 > --- a/block/nbd.c > +++ b/block/nbd.c > @@ -94,6 +94,8 @@ typedef struct BDRVNBDState { > > static int nbd_client_connect(BlockDriverState *bs, Error **errp); > > +static void nbd_free_bdrvstate_prop(BDRVNBDState *s); > + > static void nbd_channel_error(BDRVNBDState *s, int ret) > { > if (ret == -EIO) { > @@ -1486,6 +1488,17 @@ static int nbd_client_connect(BlockDriverState *bs, Error **errp) > } > } > > +static void nbd_free_bdrvstate_prop(BDRVNBDState *s) > +{ > + object_unref(OBJECT(s->tlscreds)); > + qapi_free_SocketAddress(s->saddr); > + g_free(s->export); > + g_free(s->tlscredsid); > + if (s->x_dirty_bitmap) { ^ it is not needed, g_free() handles NULL pointers. > + g_free(s->x_dirty_bitmap); > + } > +} > + Please, split this patch in two patches: - the first patch where you add this function and use it in nbd_process_options() and nbd_close() - the second patch where you fix the leak in nbd_open() Thanks, Stefano > /* > * Parse nbd_open options > */ > @@ -1855,10 +1868,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, > > error: > if (ret < 0) { > - object_unref(OBJECT(s->tlscreds)); > - qapi_free_SocketAddress(s->saddr); > - g_free(s->export); > - g_free(s->tlscredsid); > + nbd_free_bdrvstate_prop(s); > } > qemu_opts_del(opts); > return ret; > @@ -1881,6 +1891,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, > > ret = nbd_client_connect(bs, errp); > if (ret < 0) { > + nbd_free_bdrvstate_prop(s); > return ret; > } > /* successfully connected */ > @@ -1937,12 +1948,7 @@ static void nbd_close(BlockDriverState *bs) > BDRVNBDState *s = bs->opaque; > > nbd_client_close(bs); > - > - object_unref(OBJECT(s->tlscreds)); > - qapi_free_SocketAddress(s->saddr); > - g_free(s->export); > - g_free(s->tlscredsid); > - g_free(s->x_dirty_bitmap); > + nbd_free_bdrvstate_prop(s); > } > > static int64_t nbd_getlength(BlockDriverState *bs) > -- > 2.7.2.windows.1 > > > --
On 2019/11/28 21:36, Stefano Garzarella wrote: > On Thu, Nov 28, 2019 at 08:09:31PM +0800, pannengyuan@huawei.com wrote: >> From: PanNengyuan <pannengyuan@huawei.com> >> >> In currently implementation there will be a memory leak when >> nbd_client_connect() returns error status. Here is an easy way to >> reproduce: >> >> 1. run qemu-iotests as follow and check the result with asan: >> ./check -raw 143 >> >> Following is the asan output backtrack: >> Direct leak of 40 byte(s) in 1 object(s) allocated from: >> #0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560) >> #1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015) >> #2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295 >> #3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49 >> #4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386 >> #5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 >> #6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 >> #7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 >> >> Direct leak of 15 byte(s) in 1 object(s) allocated from: >> #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) >> #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) >> #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) >> #3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834 >> #4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 >> >> Indirect leak of 24 byte(s) in 1 object(s) allocated from: >> #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) >> #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) >> #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) >> #3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536 >> #4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297 >> #5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141 >> #6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366 >> #7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393 >> #8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 >> #9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 >> #10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 >> >> Reported-by: Euler Robot <euler.robot@huawei.com> >> Signed-off-by: PanNengyuan <pannengyuan@huawei.com> >> --- >> Changes v2 to v1: >> - add a new function to do the common cleanups (suggested by Stefano Garzarella). >> --- >> block/nbd.c | 26 ++++++++++++++++---------- >> 1 file changed, 16 insertions(+), 10 deletions(-) >> >> diff --git a/block/nbd.c b/block/nbd.c >> index 1239761..f8aa2a8 100644 >> --- a/block/nbd.c >> +++ b/block/nbd.c >> @@ -94,6 +94,8 @@ typedef struct BDRVNBDState { >> >> static int nbd_client_connect(BlockDriverState *bs, Error **errp); >> >> +static void nbd_free_bdrvstate_prop(BDRVNBDState *s); >> + >> static void nbd_channel_error(BDRVNBDState *s, int ret) >> { >> if (ret == -EIO) { >> @@ -1486,6 +1488,17 @@ static int nbd_client_connect(BlockDriverState *bs, Error **errp) >> } >> } >> >> +static void nbd_free_bdrvstate_prop(BDRVNBDState *s) >> +{ >> + object_unref(OBJECT(s->tlscreds)); >> + qapi_free_SocketAddress(s->saddr); >> + g_free(s->export); >> + g_free(s->tlscredsid); >> + if (s->x_dirty_bitmap) { > ^ it is not needed, g_free() handles NULL pointers. >> + g_free(s->x_dirty_bitmap); >> + } >> +} >> + > > Please, split this patch in two patches: > - the first patch where you add this function and use it in > nbd_process_options() and nbd_close() > - the second patch where you fix the leak in nbd_open() > > Thanks, > Stefano Thanks, I will change and split it in next version. > >> /* >> * Parse nbd_open options >> */ >> @@ -1855,10 +1868,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, >> >> error: >> if (ret < 0) { >> - object_unref(OBJECT(s->tlscreds)); >> - qapi_free_SocketAddress(s->saddr); >> - g_free(s->export); >> - g_free(s->tlscredsid); >> + nbd_free_bdrvstate_prop(s); >> } >> qemu_opts_del(opts); >> return ret; >> @@ -1881,6 +1891,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, >> >> ret = nbd_client_connect(bs, errp); >> if (ret < 0) { >> + nbd_free_bdrvstate_prop(s); >> return ret; >> } >> /* successfully connected */ >> @@ -1937,12 +1948,7 @@ static void nbd_close(BlockDriverState *bs) >> BDRVNBDState *s = bs->opaque; >> >> nbd_client_close(bs); >> - >> - object_unref(OBJECT(s->tlscreds)); >> - qapi_free_SocketAddress(s->saddr); >> - g_free(s->export); >> - g_free(s->tlscredsid); >> - g_free(s->x_dirty_bitmap); >> + nbd_free_bdrvstate_prop(s); >> } >> >> static int64_t nbd_getlength(BlockDriverState *bs) >> -- >> 2.7.2.windows.1 >> >> >> >
diff --git a/block/nbd.c b/block/nbd.c index 1239761..f8aa2a8 100644 --- a/block/nbd.c +++ b/block/nbd.c @@ -94,6 +94,8 @@ typedef struct BDRVNBDState { static int nbd_client_connect(BlockDriverState *bs, Error **errp); +static void nbd_free_bdrvstate_prop(BDRVNBDState *s); + static void nbd_channel_error(BDRVNBDState *s, int ret) { if (ret == -EIO) { @@ -1486,6 +1488,17 @@ static int nbd_client_connect(BlockDriverState *bs, Error **errp) } } +static void nbd_free_bdrvstate_prop(BDRVNBDState *s) +{ + object_unref(OBJECT(s->tlscreds)); + qapi_free_SocketAddress(s->saddr); + g_free(s->export); + g_free(s->tlscredsid); + if (s->x_dirty_bitmap) { + g_free(s->x_dirty_bitmap); + } +} + /* * Parse nbd_open options */ @@ -1855,10 +1868,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, error: if (ret < 0) { - object_unref(OBJECT(s->tlscreds)); - qapi_free_SocketAddress(s->saddr); - g_free(s->export); - g_free(s->tlscredsid); + nbd_free_bdrvstate_prop(s); } qemu_opts_del(opts); return ret; @@ -1881,6 +1891,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, ret = nbd_client_connect(bs, errp); if (ret < 0) { + nbd_free_bdrvstate_prop(s); return ret; } /* successfully connected */ @@ -1937,12 +1948,7 @@ static void nbd_close(BlockDriverState *bs) BDRVNBDState *s = bs->opaque; nbd_client_close(bs); - - object_unref(OBJECT(s->tlscreds)); - qapi_free_SocketAddress(s->saddr); - g_free(s->export); - g_free(s->tlscredsid); - g_free(s->x_dirty_bitmap); + nbd_free_bdrvstate_prop(s); } static int64_t nbd_getlength(BlockDriverState *bs)